Re: Images can execute php script?

On 23-09-2012 21:30, admin wrote:
JPEGs can hold other data rather than image data.
One thing to try is to run strip_tags($image) to remove any PHP code.

http://stackoverflow.com/questions/3499173/my-php-site-was-hacked-by-codes-uploaded-as-image
http://josephkeeler.com/2009/04/php-upload-security-the-1x1-jpeg-hack/

Bastien



I understand the principle behind
include('pages/' . $_GET['page'] . '.php');
http://www.mysite.com/index.php?page=../upload/image.jpg?cmd=somecode%00

Which I find ridiculous if anyone did that.
I am not sure how he was calling the image, to be sure. I watched him upload
the image and then
do what looked like a normal echo UPLOADED_IMAGES.$_FILE["name"]; You saw
phpinfo() called, but it was not in the script, rather in the image.

He opened the test.jpg in a text editor and sure enough there was <?php
phpinfo(); ?> in the code of the JPEG.

This bothers me because I am not sure what all he did. He was proving PHP is
not a safe language in front of a rather large group of people in the
meeting.
I could only look on in disbelief that it just happened in front of me.

Everything inside of me wants to say he was doing something outside of what
I consider normal circumstances.
My question is this:
If someone uploads an image through a form or whatever and they have embedded
code in it, can that code inside the image be executed by viewing the file?


The answer to this is both yes and no. It all depends on:
a) what you do with the file
b) how your webserver is set up / configured

PHP scripts are executed using the PHP interpreter. This means that for a PHP script to be executed, the server needs to:
1. assume the requested file is a PHP script
2. run the PHP interpreter, and provide it the requested file
3. return the output from the PHP interpreter

Most sane servers, when they get a request for a .jpg file, do not assume it is a PHP script and simply return the raw image, which might include PHP script but which will never be run by any sane person.

Some servers, however, are configured to run everything through the PHP interpreter before returning its output. In this case: yes, bad stuff will happen.

Alternatively, it is possible to run code in files from within other files. An example of this was given above, where you showed that including a file containing PHP code will execute that code, regardless of what the file is exactly.

In practice I must admit I have very rarely seen this exploit in action, since most proper servers and scripts are configured / coded by sane enough people for this not to be possible. Unfortunately, if you come across a novice coder, (s)he might use the include 'someImage.jpg' technique to return images, instead of echo file_get_contents('someImage.jpg'), which under these circumstances is a much safer way of doing the same thing.

- Tul
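The following is an added example, not code from the thread or from anyone posting in it. It makes Tul's point concrete: the same bytes of an uploaded "image" are inert when served with echo file_get_contents() and are executed when handed to include(), and the page-switcher from the question is safer with an allowlist than with a path built from $_GET. The tainted file is constructed inline (a JPEG SOI marker, a COM segment carrying a PHP tag, an EOI marker; not a decodable picture). It assumes PHP 8 (for str_contains) and a writable temp directory; the function and file names are made up for the example.

```php
<?php
// Added example, not from the original thread. Shows why "does the code in
// the image run?" depends on what the script does with the file.
// The sample upload below is constructed; nothing is fetched or served.

declare(strict_types=1);

// 1. Build a fake upload: JPEG SOI marker, a COM (comment) segment whose
//    body is a PHP tag, then EOI. It begins with the JPEG magic bytes, which
//    is all a naive "is this an image?" check looks at.
function buildTaintedJpeg(string $payload): string
{
    $comment = "\xFF\xFE" . pack('n', strlen($payload) + 2) . $payload;
    return "\xFF\xD8" . $comment . "\xFF\xD9";
}

// 2. Safe serving path: the file is read as data and echoed as-is. The
//    <?php tag is just bytes on the wire; the interpreter never sees it.
function serveAsData(string $path): string
{
    ob_start();
    echo file_get_contents($path);
    return ob_get_clean();
}

// 3. Unsafe serving path: include() hands the file to the PHP interpreter.
//    Bytes outside <?php ... ?> are emitted as inline output, bytes inside
//    are executed, whatever the file extension says.
function serveViaInclude(string $path): string
{
    ob_start();
    include $path;
    return ob_get_clean();
}

// 4. The page-switcher from the question, with the page name checked against
//    an allowlist instead of being spliced into a path. Assumed helper name.
function resolvePage(string $page, array $allowed, string $base): ?string
{
    if (!in_array($page, $allowed, true)) {
        return null;
    }
    return $base . '/' . $page . '.php';
}

$tmp = sys_get_temp_dir() . '/upload_test_' . bin2hex(random_bytes(4)) . '.jpg';
file_put_contents($tmp, buildTaintedJpeg('<?php echo "EXECUTED"; ?>'));

$data = serveAsData($tmp);
$run  = serveViaInclude($tmp);

printf("file_get_contents: payload executed? %s\n",
    str_contains($data, 'EXECUTED') ? 'yes' : 'no');
printf("include:           payload executed? %s\n",
    str_contains($run, 'EXECUTED') ? 'yes' : 'no');
printf("include output still carries the <?php tag? %s\n",
    str_contains($run, '<?php') ? 'yes' : 'no');

var_dump(resolvePage('../upload/image.jpg', ['home', 'about'], 'pages'));
var_dump(resolvePage('about', ['home', 'about'], 'pages'));

unlink($tmp);
```

One caveat on the URL in the question: the %00 at the end relies on null-byte truncation of the include path, which PHP has rejected since 5.3.4, so that exact string fails on any supported release. The allowlist is still the right fix, because it removes the attacker's control over the path rather than relying on the trailing ".php" to keep include() away from the upload directory.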

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


